VPN View of LAN
I have setup a VPN connection to my office and it appears to be operating as promised. When I log in remotely using VPN, I use my servers fully qualified name with "Connect to Server" menu selection to access the files on my server.
Is there anyway to view (in the shared portion of the window) the other machines on the LAN using a VPN connection? Is there a setup item I missed, or is it not possible to view these computers?
I can view the other client computers when I connect locally to my LAN.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/productsconfigurationexample09186a00806f34e6.shtml
It can be done, but actual configuration may vary between vpn software brand.
Similar Messages
-
Can ASA5505 forward remote-access-VPN clients to LAN
I currently have ASA-5505 and 2911-Router and I'm trying to configure VPN topology.
Can ASA5505 forward remote-access-VPN clients to LAN operated by a different router?
Are these two cases possible?:
(1) ASA-5505 and 2911-Router are on separate WAN interfaces, each directly connected to ISP. But then can I connect one of other LAN interfaces of ASA-5505 into a switch managed by 2911-Router to inject remote-SSL-VPN clients into the LAN managed by the router?
(2) ASA-5505 is behind 2911-Router. Can 2911 Router assign a public ip address or have public ip address VPN-access attempts directly be forwarded to ASA-5505 when there is only one public ip address available?
Long put short, can ASA-5505 inject its remote-access-VPN clients as one of hosts on the LAN managed by 2911-router?
Thanks.I could help you more if you can explain the purpose of this setup and the connectivity between the ASA and router.
You can enable reverse-route on the Dynamic map on the ASA. The ASA will install a static route for the client on the routing table. You can use a Routing protocol to redistribute the static routes to your switch on the LAN side of the ASA. -
Remote Access VPN clients on LAN IP range
I need to setup a VPN Client configuration where the clients receive an IP on the LAN IP address range.
Attached is my config with the pool in its own range.(non-pertinent configuration excluded)
I've modified my pool to place the clients in a range within the LAN ip scheme. I have also modified my 110 ACL to exclude the NAT and my 111 ACL to allow for split-tunneling by the client.
When I connect, I get the proper address but I am unable to ping any devices internally.
Any suggestions as to the configuration or troubleshooting would be appreciated. I have seen documentaiton that it will not work in the form of TAC cases and config guides, but they were specific to ASA and Pix devices. I have not found any configuration guides of IOS routers showing examples of this configuration, but I did see mention in a config guide that said "if you assign addresses from a non-local subnet" which tells me that it is an option to assign local addresses.Ok, let's go
you should assign a pool that has a diferent range than your internal like
ip pool vpn_pool 10.0.0.1 10.0.0.10
then you must NAT it to make it seems it came from inside to whatever you want to be the destination, then do the following
configure your external interface as "nat outside"
fastethernet 0/0
ip nat outside
Configure your internal interface as "nat inside"
fastethernet 0/1
ip nat inside
configure the NAT
ip nat outside sourse static network 10.0.0.0 192.168.0.0 255.255.255.240
please rate if helps -
Remote access VPN access across LAN-to-LAN VPN
I have two sites (site 1 & site 2) connected by a LAN-to-LAN VPN. At site 1, users connect with a remote access VPN and need to be able to access resources at site 2.
I started out with same-security-traffic intra-interface configured.
Here is the output from both ASAs:
NM-ASA# show crypto isakmp sa
Active SA: 6
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 6
1 IKE Peer: 3.3.3.3
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 74.138.171.237
Type : user Role : responder
Rekey : no State : AM_ACTIVE
3 IKE Peer: 96.28.201.133
Type : user Role : responder
Rekey : no State : AM_ACTIVE
4 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
5 IKE Peer: 74.138.126.195
Type : user Role : responder
Rekey : no State : AM_ACTIVE
6 IKE Peer: 96.28.201.133
Type : user Role : responder
Rekey : no State : AM_ACTIVE
NM-ASA#
NM-ASA# sho crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.5/255.255.255.255/0/0)
current_peer: 96.28.201.133, username: joneal
dynamic allocated peer ip: 10.1.20.5
#pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
#pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 50, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 96.28.201.133
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 5E0D76C9
inbound esp sas:
spi: 0x969790AD (2526515373)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 315392, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28618
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000003 0xFFFFFFFF
outbound esp sas:
spi: 0x5E0D76C9 (1577940681)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 315392, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28618
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.6/255.255.255.255/0/0)
current_peer: 96.28.201.133, username: joneal
dynamic allocated peer ip: 10.1.20.6
#pkts encaps: 1368, #pkts encrypt: 1368, #pkts digest: 1368
#pkts decaps: 945, #pkts decrypt: 945, #pkts verify: 945
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1368, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 96.28.201.133
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 968FF103
inbound esp sas:
spi: 0xA49C8920 (2761722144)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 331776, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28703
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x968FF103 (2526015747)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 331776, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28702
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 20, local addr: 2.2.2.2
access-list peak10-vpn permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 352, #pkts encrypt: 352, #pkts digest: 352
#pkts decaps: 270, #pkts decrypt: 270, #pkts verify: 270
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 352, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 3.3.3.3
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 773AB6C7
inbound esp sas:
spi: 0xD34E0435 (3545105461)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 303104, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914940/28605)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x773AB6C7 (2000336583)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 303104, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914941/28605)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 20, local addr: 2.2.2.2
access-list peak10-vpn permit ip 192.168.128.0 255.255.224.0 172.16.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.128.0/255.255.224.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 26, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 3.3.3.3
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 66CD02A3
inbound esp sas:
spi: 0x531B430A (1394295562)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 303104, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914990/28666)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x01FFFFFF
outbound esp sas:
spi: 0x66CD02A3 (1724711587)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 303104, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914990/28666)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.7/255.255.255.255/0/0)
current_peer: 74.138.126.195, username: jnord
dynamic allocated peer ip: 10.1.20.7
#pkts encaps: 990, #pkts encrypt: 990, #pkts digest: 990
#pkts decaps: 1429, #pkts decrypt: 1429, #pkts verify: 1429
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 990, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 3
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 74.138.126.195
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 62241B76
inbound esp sas:
spi: 0xB1F2F97B (2985490811)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 327680, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28674
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x62241B76 (1646533494)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 327680, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28674
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.4/255.255.255.255/0/0)
current_peer: 74.138.171.237, username: cbulmahn
dynamic allocated peer ip: 10.1.20.4
#pkts encaps: 832, #pkts encrypt: 832, #pkts digest: 832
#pkts decaps: 620, #pkts decrypt: 620, #pkts verify: 620
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 832, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 74.138.171.237
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 64CD5FBE
inbound esp sas:
spi: 0xCDFCE528 (3455903016)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 311296, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28613
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x64CD5FBE (1691180990)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 311296, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28613
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list sg-vpn permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.192.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 5228, #pkts encrypt: 5228, #pkts digest: 5228
#pkts decaps: 5246, #pkts decrypt: 5246, #pkts verify: 5246
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5229, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 3200F1CB
inbound esp sas:
spi: 0x10DEE5CE (283043278)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373446/28613)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x3200F1CB (838922699)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373496/28613)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list sg-vpn permit ip 192.168.111.0 255.255.255.0 192.168.0.0 255.255.192.0
local ident (addr/mask/prot/port): (192.168.111.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 321, #pkts encrypt: 321, #pkts digest: 321
#pkts decaps: 296, #pkts decrypt: 296, #pkts verify: 296
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 321, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: EC77AF32
inbound esp sas:
spi: 0x16C7E578 (382199160)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373950/28636)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xEC77AF32 (3967266610)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373936/28636)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list sg-vpn permit ip 192.168.112.0 255.255.240.0 192.168.0.0 255.255.192.0
local ident (addr/mask/prot/port): (192.168.112.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 2910, #pkts encrypt: 2910, #pkts digest: 2910
#pkts decaps: 3794, #pkts decrypt: 3794, #pkts verify: 3794
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2996, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: EEDD3278
inbound esp sas:
spi: 0x9FAA12E6 (2678723302)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4370659/28610)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xEEDD3278 (4007473784)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373556/28610)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list sg-vpn permit ip 192.168.128.0 255.255.224.0 192.168.0.0 255.255.192.0
local ident (addr/mask/prot/port): (192.168.128.0/255.255.224.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 3034, #pkts encrypt: 3034, #pkts digest: 3034
#pkts decaps: 3748, #pkts decrypt: 3748, #pkts verify: 3748
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3034, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D1F3CBED
inbound esp sas:
spi: 0x7C688B5D (2087226205)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4370712/28609)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD1F3CBED (3522415597)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373429/28609)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
NM-ASA#
QSRCORPFW# sho crypto isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 3.3.3.3
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
QSRCORPFW# sho crypto ipsec sa
interface: WAN
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list PEAK10VPN permit ip 192.168.0.0 255.255.192.0 172.16.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 2162, #pkts encrypt: 2162, #pkts digest: 2162
#pkts decaps: 1761, #pkts decrypt: 1761, #pkts verify: 1761
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2162, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: BDC6A8EE
inbound esp sas:
spi: 0x966B78C0 (2523625664)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6328320, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914547/28485)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xBDC6A8EE (3183913198)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6328320, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914652/28485)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 1.1.1.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.10.6/255.255.255.255/0/0)
current_peer: 74.128.145.69, username: administrator
dynamic allocated peer ip: 10.1.10.6
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 74.128.145.69
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 0ED4D561
inbound esp sas:
spi: 0x70133356 (1880306518)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 6332416, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28521
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0001FFFF
outbound esp sas:
spi: 0x0ED4D561 (248829281)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 6332416, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28508
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.111.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (192.168.111.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 350, #pkts encrypt: 350, #pkts digest: 350
#pkts decaps: 379, #pkts decrypt: 379, #pkts verify: 379
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 350, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 16C7E578
inbound esp sas:
spi: 0xEC77AF32 (3967266610)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914923/28493)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x16C7E578 (382199160)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914939/28493)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.112.0 255.255.240.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (192.168.112.0/255.255.240.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 5270, #pkts encrypt: 5270, #pkts digest: 5270
#pkts decaps: 4314, #pkts decrypt: 4314, #pkts verify: 4314
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5270, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 9FAA12E6
inbound esp sas:
spi: 0xEEDD3278 (4007473784)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914358/28463)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9FAA12E6 (2678723302)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3911355/28463)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.100.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 11323, #pkts encrypt: 11323, #pkts digest: 11323
#pkts decaps: 11262, #pkts decrypt: 11262, #pkts verify: 11262
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11323, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 10DEE5CE
inbound esp sas:
spi: 0x3200F1CB (838922699)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914033/28461)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x10DEE5CE (283043278)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3913939/28459)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.128.0 255.255.224.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (192.168.128.0/255.255.224.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 4206, #pkts encrypt: 4206, #pkts digest: 4206
#pkts decaps: 3490, #pkts decrypt: 3490, #pkts verify: 3490
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4206, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7C688B5D
inbound esp sas:
spi: 0xD1F3CBED (3522415597)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914326/28457)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x7C688B5D (2087226205)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3911559/28457)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
QSRCORPFW# -
VPN Connect Kills LAN iChat Jabber
We use Jabber for internal LAN communications. I have a VPN set up to another office for file sharing and ARD.
As soon as I connect the VPN, Jabber goes down on my computer.
If I terminated the VPN connection, Jabber re-connects. It's repeatable each time.
Sounds like a port conflict but I don't know where to start looking...Jabber in iChat users ports 5220, 5222, 5223 on TCP.
5223 is older Jabber servers and GoogleTalk logins.
5222 is most Jabber Logins
5220 is for other stuff like file sending within Jabber.
http://support.apple.com/kb/HT1507?viewlocale=en_US
Apple Remote Desktop normally uses port 5988 where as VPN usually uses port 5900
http://support.apple.com/kb/TS1629
That should get you started.
10:39 PM Tuesday; May 5, 2009
Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat" -
I have a Database on Oracle 10g R1 on Windows 2003 server. I have created materialized view logs on this database with
"CREATE MATERIALIZED VIEW LOG ON <BASE_TABLE> TABLESPACE <tablespace>
NOCACHE
LOGGING
NOPARALLEL WITH ROWID, PRIMARY KEY EXCLUDING NEW VALUES;"
I have created materialized view on my Desktop database (Oracle Express Edition).
I can generate the materialized view on XE from these mvlogs
I created the database link
CREATE PUBLIC DATABASE LINK DBLNK CONNECT TO <central_user> IDENTIFIED BY <central_user_passwd> USING '<central_db_sid>';
The script to create the materialized view on XE is
CREATE MATERIALIZED VIEW <MVIEW_NAME>
NOCACHE
LOGGING
NOCOMPRESS
NOPARALLEL
BUILD IMMEDIATE
REFRESH FAST ON DEMAND
WITH PRIMARY KEY
AS
SELECT *
FROM <base table>@DB_LINK ;
1.) When I create the materailized view on LAN, it is working.
2.) But when I try to create the same on Oracle XE over VPN, so that I do not have to connect to main database On VPN, it just hangs.
3.) I am using Cisco VPN connection.
4.) I am able to access the tables as "select * from <table>@dblnk", so the database link is working, but I cannot create the materialized view.
5.) Please note that the Global names are not set on any of the databases.
6.) I checked the v%session_wait, and I get WAIT_CLASS as NETWORK.
7.) But I do not get any session while this Create script is fired on VPN on the Central Database in v$session.
8.) But when I do “select * from <table>@dblnk" I get this connection in v$session on the central database.
9.) The Global Names setting is FALSE at the main database and the XE end also.
--> If the database link is working, and on LAN with same setting of the XE databases it is working, it should work on VPN also, right?
--> I am able to tnsping to the main 10g R1 database on Windows 2003 server. I am able to log in to the database, access the tables and do everything,
but not able to create the materialized view on my XE database over the VPN.
So the most important question is
A.) Can the Materialized views be created over VPN?
B.) Is there some problem with the Global Names settings in database?What do you mean by "complex query"? Oracle defines a complex query as one that cannot be fast refreshable, so that you could not get a delta. Many queries that people would describe as complex, however, are not technically complex in an Oracle replication context or can be made non-complex.
Justin -
How to config vpn pool on asa5510 in a Multi-hop routing lan?
home----internet----asa5510(172.16.0.1/30)----(172.16.0.2/30)Internet behavior management(172.16.0.5/30)----(172.16.0.6/30)LAN(192.168.1.0/24)
I want to use 'remote access ipsec vpn' to connect LAN(192.168.1.0/24),but i don't konw how to config vpn pool on asa 5510.
Does someone kown how to do?Hi,
The VPN Pool could be pretty much any network/subnet.
The amount of routing hops on the LAN network doesnt really matter. The ASA should have a route for the LAN network so it can forward the VPN user traffic there. The return traffic from the LAN to the VPN user should be forwarded with the default route of the network devices. If your default route isnt pointing to this ASA then you naturally need to add a route for the VPN Pool on your LAN devices.
Though I am not sure I have understood your question completely.
- Jouni -
Need Help on Site to Site VPN configuration
I have Site to Site VPN between myself and my client. I have done PAT for my Internal LAN subnets and have established tunnel between myself and client. I am able to access their servers from my LAN over VPN and it works fine.
Now there is a requirement where client require to access one of the server over S2S vpn in my LAN. I added that Server IP in the encryption domain and its getting PAT as other LAN Subnets. The client also allowed that access into their firewall. The client can see the packets hitting their firewall but i don't see any hits on my firewall. I ran capture and also added an acl to allow that access over the outside interface.
I configured capture and found that packets are reaching firewall but i am seeing SaAB flag in show connection detail output. Does it mean that PAT is not working properly and i need to create Static NAT for that access.
Thanks in Advance.
Regards,
AnkitYou can however do the following.
Setup a policy based static nat for traffic going from 192.168.1.10 to 192.168.2.0/24. Translate this to something that does not overlap. Assuming we translate this to 192.168.3.10. Then you'll put 3.10 in the crypto acl going towards 192.168.2.0/24 and vice versa on the far end.
Regards,
Aseem
**** You can forward this email invitation to attendees ****
Hello ,
Please join my meeting that is currently in progress.
Topic: VPN
Date: Tuesday, December 10, 2013
Time: 11:52 am, Pacific Standard Time (San Francisco, GMT-08:00)
Meeting Number: 202 081 664
Meeting Password: cisco
To join the online meeting (Now from mobile devices!)
1. Go to https://ciscosales.webex.com/ciscosales/e.php?AT=MI&EventID=247556192&UID=0&PW=NNDk5MzQxYzEz&RT=MiM0
2. Enter your name and email address.
3. Enter the meeting password: cisco
4. Click "Join Now".
5. Follow the instructions that appear on your screen.
To view in other time zones or languages, please click the link:
https://ciscosales.webex.com/ciscosales/e.php?AT=MI&EventID=247556192&UID=0&PW=NNDk5MzQxYzEz&ORT=MiM0
ALERT – PLEASE READ: DO NOT DIAL THE TOLL FREE NUMBERS FROM WITHIN THE (408) OR (919) AREA CODES
Please dial the local access number for your area from the list below:
- San Jose/Milpitas (408) area: 525-6800
- RTP (919) area: 392-3330
Dialing the WebEx toll free numbers from within 408 or 919 area codes is not enabled (non-Cisco phones). “ If you dial the toll-free numbers within the 408 or 919 area codes you will be instructed to hang up and dial the local access number.” Please use the call-back option whenever possible and otherwise dial local numbers only. The affected toll free numbers are: (866) 432-9903 for the San Jose/Milpitas area and (866) 349-3520 for the RTP area.
To join the teleconference only
1. Dial into Cisco WebEx (view all Global Access Numbers at
http://cisco.com/en/US/about/doing_business/conferencing/index.html
2. Follow the prompts to enter the Meeting Number (listed above) or Access Code followed by the # sign.
San Jose, CA: +1.408.525.6800 RTP: +1.919.392.3330
US/Canada: +1.866.432.9903 United Kingdom: +44.20.8824.0117
India: +91.80.4350.1111 Germany: +49.619.6773.9002
Japan: +81.3.5763.9394 China: +86.10.8515.5666
For assistance
1. Go to https://ciscosales.webex.com/ciscosales/mc
2. On the left navigation bar, click "Support".
You can contact me at:
[email protected]
1-408-895 7679
http://www.webex.com
CCP:+14085256800x202081664#
IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, discuss your concerns with the meeting host prior to the start of the recording or do not join the session. Please note that any such recordings may be subject to discovery in the event of litigation. Regards,Regards,
Aseem
Regards,
Aseem
Regards,
Aseem
Regards,
Aseem
Regards,
AseemRRe -
Hello, i have asa 5505. Users can connect to inside network (192.168.1.0) throught L2TP VPN and can ping inside network. Need to allow vpn users (192.168.2.0) to ping each other.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
same-security-traffic permit inter-interface
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit 192.168.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list vpn extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Local_LAN_Access_l2tp remark l2tp Client Local LAN Access
access-list Local_LAN_Access_l2tp standard permit 192.168.1.0 255.255.255.0
access-list Local_LAN_Access_l2tp standard permit 192.168.2.0 255.255.255.0
access-list vpn_l2tp extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
access-list split-tunnel remark match Anyconn client to tunnel traffic
ip local pool l2tp-ipsec_address 192.168.2.100-192.168.2.114 mask 255.255.255.0
nat-control
global (inside) 2 192.168.1.101
global (inside) 3 192.168.1.102
global (outside) 1 interface
nat (inside) 0 access-list Inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 2 access-list vpn
nat (outside) 3 access-list vpn_l2tp
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
vpn-addr-assign local reuse-delay 5
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
dns-server value 192.168.1.10
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_LAN_Access_l2tpHello,
You will have to configure hair pinning / u turning to get this working. Make sure the vpn pool is allowed in the split access-list for L2TP clients.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml
Hope this helps.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts. -
Problem with VPN by ASA 5505 and PIX 501
Hi
I have this scenario: Firewall ASA 5505, Firewall Pix 501 (with CatOS 6.3(5) ).
I have configured this appliance for Easy VPN (server is ASA) and PIX, and remote Access with Cisco client vpn (for internal lan ASA).
When i configure the ASA i have this problem, when i configure nat for easy vpn.
This is my nat configuration:
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 0.0.0.0 0.0.0.0 outside
when i put this command:
nat (inside) 0 access-list no-nat
this command is necessary for configuration of easy vpn, but the previous nat:
nat (inside) 0 access-list 100
is replace with the latest command.To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
For regular dynamic NAT:
nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
For policy dynamic NAT and NAT exemption:
nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq] -
VPN trouble on total Apple network
I downloaded OS X server (clean install, nothing imported or migrated) for the first time yesterday on my home iMac w/ Yosemite 10.10.1. I thought VPN setup and access would be fairly straightforward, but i have had nothing but trouble. I obviously cant access the VPN outside the LAN, but even on the LAN, i cannot connect from any other devices. i have set this up on Mavericks before and had no issues at all (different machine, different network)
If someone can tell me how my home network and settings should be configured, i'll adjust it as necessary and then start trouble shooting from there with a slice of humble pie.
Network setup is as follows:
Cable Modem ---> Airport Time Capsule (ATC) ---*ethernet extension*---> Airport Express (AE) (extending existing network) ---> iMac w/ server plugged in ethernet to AE
1. The ATC is handling DHCP and NAT on the network (192.168.1.2 - .200)
(not sure what the port forward settings should be exactly, but this wouldn't explain why theres no LAN connection to VPN would it?)
2. imac has manual local ip of 192.168.1.20, with no active firewall in security settings
3. not using any registered domain, simply trying to connect via external ip on L2TP using shared secret and user credentials
4. only one user account on the system (myself as administrator)
5. VPN offering 5 client addresses for L2TP starting at 192.168.1.220
6. Under DNS settings on server VPN pane, 192.168.1.1 is listed as a "name server to connected clients" (no idea what this means) and my ISP's web address is listed as the only "search domain to connected clients"
7. No Routes configured
My ultimate goal for the process is to be able to login and VNC any machine on my home network from the internet i.e. office network, as well as network file sharing. PLEASE HELP! i will offer any more necessary info. thank you for your time.
-ChaseI downloaded OS X server (clean install, nothing imported or migrated) for the first time yesterday on my home iMac w/ Yosemite 10.10.1. I thought VPN setup and access would be fairly straightforward, but i have had nothing but trouble. I obviously cant access the VPN outside the LAN, but even on the LAN, i cannot connect from any other devices. i have set this up on Mavericks before and had no issues at all (different machine, different network)
If someone can tell me how my home network and settings should be configured, i'll adjust it as necessary and then start trouble shooting from there with a slice of humble pie.
Network setup is as follows:
Cable Modem ---> Airport Time Capsule (ATC) ---*ethernet extension*---> Airport Express (AE) (extending existing network) ---> iMac w/ server plugged in ethernet to AE
1. The ATC is handling DHCP and NAT on the network (192.168.1.2 - .200)
(not sure what the port forward settings should be exactly, but this wouldn't explain why theres no LAN connection to VPN would it?)
2. imac has manual local ip of 192.168.1.20, with no active firewall in security settings
3. not using any registered domain, simply trying to connect via external ip on L2TP using shared secret and user credentials
4. only one user account on the system (myself as administrator)
5. VPN offering 5 client addresses for L2TP starting at 192.168.1.220
6. Under DNS settings on server VPN pane, 192.168.1.1 is listed as a "name server to connected clients" (no idea what this means) and my ISP's web address is listed as the only "search domain to connected clients"
7. No Routes configured
My ultimate goal for the process is to be able to login and VNC any machine on my home network from the internet i.e. office network, as well as network file sharing. PLEASE HELP! i will offer any more necessary info. thank you for your time.
-Chase -
Anyconnect VPN peers cannot ping, RDP each other
I have an ASA5505 running ASA 8.3(1) and ASDM 7.1(1). I have a remote access VPN set up and the remote access users are able to log in and access LAN resources. I can ping the VPN peers from the remote LAN. My problem that the VPN peers cannot ping (RDP, ectc..) each other. Pinging one VPN peer from another reveals the following error in the ASA Log.
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.10.8 dst outside:10.10.10.9 (type 8, code 0) denied due to NAT reverse path failure.
Below is my ASA running-config:
ASA Version 8.3(1)
hostname ciscoasa
domain-name dental.local
enable password 9ddwXcOYB3k84G8Q encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.128
domain-name dental.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network RAVPN
subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
access-list Local_LAN_Access remark VPN client local LAN access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VpnPeers remark allow vpn peers to ping each other
access-list VpnPeers extended permit ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28
pager lines 24
logging enable
logging asdm informational
logging mail informational
logging from-address [email protected]
logging recipient-address [email protected] level informational
logging rate-limit 1 600 level 6
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static RAVPN RAVPN
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
object network obj_any
nat (inside,outside) dynamic interface
object network RAVPN
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair billvpnkey
proxy-ldc-issuer
crl configure
crypto ca server
cdp-url http://ciscoasa/+CSCOCA+/asa_ca.crl
issuer-name CN=ciscoasa
smtp from-address admin@ciscoasa
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
**hidden**
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 10bdec50
**hidden**
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.1.50-192.168.1.99 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
svc profiles DellStudioClientProfile disk0:/dellstudioclientprofile.xml
svc enable
tunnel-group-list enable
internal-password enable
smart-tunnel list SmartTunnelList RDP mstsc.exe platform windows
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.128
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value dental.local
webvpn
svc modules value vpngina
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 192.168.1.128
vpn-tunnel-protocol l2tp-ipsec
default-domain value dental.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.128
vpn-simultaneous-logins 4
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock value RAVPN
split-tunnel-network-list value Local_LAN_Access
default-domain value dental.local
webvpn
url-list value DentalMarks
svc modules value vpngina
svc profiles value dellstudio type user
svc ask enable default webvpn
smart-tunnel enable SmartTunnelList
username wketchel1 password 5c5OoeNtCiX6lGih encrypted
username wketchel1 attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc profiles value DellStudioClientProfile type user
username wketchel password 5c5OoeNtCiX6lGih encrypted privilege 15
username wketchel attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc modules none
svc profiles value DellStudioClientProfile type user
username jenniferk password 5.TcqIFN/4yw0Vq1 encrypted privilege 0
username jenniferk attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc profiles value DellStudioClientProfile type user
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group RAVPN webvpn-attributes
group-alias RAVPN enable
tunnel-group RAVPN ipsec-attributes
pre-shared-key *****
tunnel-group RAVPN ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group WebSSLVPN type remote-access
tunnel-group WebSSLVPN webvpn-attributes
group-alias WebSSLVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
smtp-server 173.194.64.108
prompt hostname context
hpm topN enable
Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
: endHi,
Seems to me that you could clean up the current NAT configuration a bit and make it a bit clearer.
I would suggest the following changes
object network VPN-POOL
subnet 10.10.10.0 255.255.255.0
object network LAN
subnet 192.168.1.0 255.255.255.0
object-group network PAT-SOURCE
network-object 192.168.1.0 255.255.255.0
network-object 10.10.10.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
The above should enable
Dynamic PAT for LAN and VPN users
NAT0 for the traffic between LAN and VPN
NAT0 for traffic between VPN users
You could then remove the previous NAT configurations. Naturally please do backup the configuration before doing the change if you wish to move back to the original configuration.
no nat (inside,any) source static any any destination static RAVPN RAVPN
no nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no object network obj_any
no object network RAVPN
In the event that you dont want to change the configurations that much you might be fine just by adding this
object network VPN-POOL
subnet 10.10.10.0 255.255.255.0
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
But the other above configurations changes would make the current NAT configurations simpler and clearer to see each "nat" configurations purpose.
- Jouni -
Hello. I am trying to access my cisco 831 behind another vendor's hardware firewall for VPN services. I have the VPN enabled on the inside interface. I am not using the outside interface at all. I basically want to use this device just for VPN services.
eg.
{Internet}-WAN->FIREWALL-> Forward VPN Services->CISCO831(LAN)
Can I forward ports at the firewall level to allow VPN connections on the cisco device?
If so, is there a way to relay the DHCP requests to my DHCP server rather than allocate a pool on the VPN device?
Thanks in advance.The DHCP protocol supplies automatic configuration parameters such as an IP address with a subnet mask, default gateway, DNS server address, and WINS address to hosts. Initially, DHCP clients have none of these configuration parameters. They obtain this information by sending a broadcast request for it. When a DHCP server sees this request, the DHCP server supplies the necessary information. Due to the nature of these broadcast requests, the DHCP client and server must be on the same subnet. Layer 3 devices such as routers and firewalls do not typically forward these broadcast requests by default.
Refer to the following document for more information
PIX/ASA 7.x as a DHCP Relay Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml -
Hello,
I have tried to read many of the existing posts about getting VPN's setup with OS X. Yet, I still am having trouble!!
I can establish a VPN tunnel either L2TP or PPTP and access the Server Admin settings via its application. So, I know that all of my VPN ports are open and working for VPN traffic.
What I can't do is connect to my server. It's my understanding and experience that once I have a VPN connection I should be able to access all services and machines as though I'm inside the network. I can access those services if I open the AFP port (548) for the "Any" group. But that defeats the purpose of having the VPN, since anyone could access the AFP protocol via our public IP.
Any thoughts??
Thanks,
RandyThanks for your reply. Sorry to have been unclear.
I am using NAT, public IP on En0 & private IP (192.168.2.x) on En1. AFP is not blocked on my LAN, 192.168.2-net, but is on the "Any" address group. If I allow AFP in the Any group then without a VPN tunnel the file server is accessible. Not good!
I read somewhere about the potential need to forward traffic from the ppp0 port to the LAN, but could find any settings that seemed to produce such an effect.
Since the VPN is assigning LAN IP addresses I should have LAN access to LAN resources, right?
Your last statement:
If your server is hanging with its ports in the public space then adjust the firewall rules to allow AFP connection from the local network only (e.g. 192.168.1.x or whatever internal subnet you're using). That way the extenal clients won't be able to get through the firewall, but the VPN clients will.
That is how I believe that I have thing setup, but the VPN clients can't connect to the server.
Thanks again for any insights...
Randy -
2 routers, 1 VPN, 1 PPPoE. How to put it all together?
Hi. Newbie so please be gentle!
I have an E2000 which I have been using succesfully with VPN for some time. I now want to be able choose whether or not to go through the VPN as it is considerably slower than going through my ISP.
Searching online it seems the simplest way is to add another router and simply choose which network to join depending on the access I want. Having found several 'helpful' wikis/forums I now have an additional E2500 and I have setup the two routers in series, with the non-VPN router connected to my ISP-provided modem and the VPN router connected LAN-WAN.
Now, what do I need to change on my VPN router to allow me to access the VPN? I have tried any number of suggested setups but none has worked. The closest I have come is connecting the two routers LAN-LAN and this got me internet access via both routers, but no VPN. The only hard and fast rule from my VPN provider is that the VPN router must be connected via it's WAN port.
Any ideas?Thanks guys. My connection is slower when I go via the VPN. It is for personal use as the country I'm in blocks a whole host of regular websites which they claim are "contrary to the cultural norms" (e.g. Cbeebies - the BBC website for pre-school children!). I also want to be able to watch UK TV.
As it happens, the problem is now solved. I went right back to basics, returned everything to factory defaults, updated firmware where appropriate and reloaded my VPN. No idea why it didn't work when I first set it up, but now it's up and running I'm going to leave well alone.
Thanks for your input.
Maybe you are looking for
-
FMP files no longer work after transfer
Hi All, I have a number of FMP 11 database files on an internal 2TB WD Black drive that I backup to an external WD 2TB Black drive connected via eSATA. When I try to open the files on the external I get an error message saying that the file could not
-
XMP metadata for Photo Libraries
I demo lightroom at shows for Adobe and one of the constant gripes I get, and spend a long time trying to convince punters I have no answer for, is that Lightroom doesn't interact at all well with some of the software that photo libraries use. I have
-
I have a slide show project which runs about 7:10 minutes. I want to use background music that consists of 2 songs. The first song is 3:11 minutes and the second song is 4:51 minutes. Even when I add transitions and more images, the second song lo
-
Missing Thumbnail Fix, at least for me
I had an extremely frustrating issue with missing thumbnails (dotted blank boxes) with iPhoto 6 that migrated to iPhoto 8 with no relief. I tried all the thumbnail and library rebuilding, and permission repair issues to no avail. In my case, the orig
-
what are the master record in MM other than material master and vendor master?